Permissions: Basic users and above, who can manage and configure SSO
Product tier: Available for Advanced and Expert subscription tiers
Note: If you have questions regarding enabling Single Sign-On through ADFS, please click here to contact the Greenhouse Customer Support team.
Add Greenhouse as a Relying Party Trust
Note: These instructions were created using Windows Server 2012 R2 and ADFS 3.0.
Navigate to your AD FS Management tool, then open the Trust Relationships folder in the left sidebar.
In the Trust Relationships folder, open the Relying Party Trusts folder.
Click Add Relying Party Trusts under the Actions bar on the right side of the screen. The Add Relying Party Trust Wizard will open.
Click Start on the Welcome page.
Select Enter data about the relying party manually on the Data Source page and enter the following information for Greenhouse Recruiting:
- ACS URL: Obtained following the steps listed here.
- Entity ID: greenhouse.io (Note: This field does not include https://)
Enter Greenhouse in the Display Name field, and add any additional notes.
Select AD FS profile on the Choose Profile page.
Click Next to skip the Configure Certificate page without making any selections.
On the Configure URL page, take the following steps:
- Check the box for Enable support for the SAML 2.0 WebSSO protocol.
- Enter your Greenhouse Recruiting ACS URL.
Note: Click here to learn how to retrieve your ACS URL from your Greenhouse Recruiting account.
Enter the following information on the Configure Identifers page:
- Relying party trust identifier:
When you're finished, click Add
Note: Multi-factor authentication is not required for this integration. However, if you would like to add it, it can be configured on the next page.
Select Permit all users to access this relying party on the Choose Issuance Authorization Rules page.
Click Next on the Ready to Add Trust page without making any changes.
Select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox on the Finish page. When you're done, click Close.
Create Claim Rules for Greenhouse
Closing the Add Relying Party Trust Wizard will automatically open the Edit Claim Rules Wizard for Greenhouse. Here, you will configure the attributes that AD FS will send to Greenhouse.
Click Add Rule.
Select Send LDAP Attributes as Claims from the dropdown menu.
Name the claim rule LDAP Email and Full Name and select the Active Directory attribute store and enter the following rules in the field.
|LDAP Attribute||Outgoing Claim Type|
Type User.FirstName in the field
Type User.LastName in the field
You will now see the new rule in your list of claim rules for Greenhouse Recruiting. Click Add Rule to add the next rule.
Select Transform an Incoming Claim from the dropdown menu.
Configure the following on the next page:
- Name the claim rule Email Transform
- Set the Incoming claim type to E-Mail Address
- Set the Outgoing claim type to Name ID
- Set the Outgoing name ID format to Email
- Select Pass through all claim values
Both rules will appear in the list. Click Apply and OK to close the Wizard.
Edit Trust Settings
The final step will be to edit the trust settings for Greenhouse.
On the Relying Party Trusts page of the AD FS Management Tool, select Greenhouse from the list of Relying Party Trusts. Then, click Properties under the Actions bar on the right side of the page.
The Identifiers tab should contain your Display name and Greenhouse’s Relying party identifier (In this setup, it will say greenhouse.io).
Set the NotBeforeSkew Parameter
When a user logs in through ADFS, the SAML Response to Greenhouse will contain "NotBefore" and "NotOnOrAfter" attributes that designate the timeframe during which the SAML Response is valid. However, the ADFS server clock and the Greenhouse server clock may become out of sync so that the timestamp of the SAML Response sets to a time earlier than the one established in the "NotBefore" attribute. In this case, the SAML Response will not be valid and the user will not be able to log in.
To ensure that your users are not affected by server synchronization issues, please set a skew of at least two minutes on the "NotBefore" attribute by following the instructions below:
Open your Powershell in ADFS.
Check the current NotBeforeSkew by running the following command in the Powershell:
Get-ADFSRelyingPartyTrust –identifier "greenhouse.io”
In the Powershell response, scroll to the attribute "NotBeforeSkew." The number next to the "NotBeforeSkew" will be the current time skew of that attribute in minutes.
Set the "NotBeforeSkew" to be 2 minutes by running the following command in the Powershell:
Set-ADFSRelyingPartyTrust –TargetIdentifier “greenhouse.io" –NotBeforeSkew 2
Check the new "NotBeforeSkew" by running the following command again:
Get-ADFSRelyingPartyTrust –identifier “greenhouse.io”
*The NotBeforeSkew should now be set to 2.
Configure a Single Logout URL (Optional)
The final step is to configure a Single Logout URL. This is optional.
Open the Greenhouse Properties dialog box by clicking the Properties button in the Actions sidebar.
Navigate to the Endpoints tab. You'll see the ACS URL from Greenhouse's Metadata file in the list of Endpoints. To add a Single Logout URL, click Add SAML.
Configure the following in the Add an Endpoint window:
- Set the Endpoint type to SAML Logout
- Set Binding to POST
- In the Trusted URL textbox, enter your Single Logout URL.
Both the ACS URL from Greenhouse and your Single Logout URL will display in the list of Endpoints for Greenhouse. To complete the process, click Apply, then click OK.
You're now ready to test your ADFS configuration. Please follow the steps here to soft-enable SSO in Greenhouse Recruiting so your team can test the configuration internally.